I have some malware infecting one of our machines at home. It first showed up as winulty.exe. After investigating, I am of the opinion that winulty.exe itself is an uninfected file but is being modified after it has loaded into memory. Turning on Data Execution Prevention for all processes and services has confirmed this to be true.

How do I track down the process responsible for this? I've used File Monitor from sysinternals.com to monitor winulty.exe and see this being accessed by the svchost.exe instance hosting most of the system services and also by dfrgntfs.exe. How do I know which service or which DLL has been infected?

5 Answers

Are you sure it is the correct instance of SVCHOST.EXE? How did you determine it? What version of Windows is it?

Repeat what you did before, but this time, look at the PID of the instance of SVCHOST.EXE that wrote to WINULTY.EXE’s memory, then run Process Explorer—also from Sysinternals—(make sure to run it as administrator), and double-click on the instance of SVCHOST.EXE that has the PID you noted. Now look in the Services tab to see what services that instance is hosting. Hopefully there won’t be too many services (ideally just one) in that instance. Depending on what services are hosted by it, you can try stopping them to see if it continues. If WINULTY.EXE only gets infected after booting, then again, depending on what services are hosted (you can post them in a comment for advice or refer to Black Viper’s guides), you can try disabling them to see if it continues after rebooting.
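An added example, not code from the original answers: once you have the PID of the svchost.exe instance that wrote to WINULTY.EXE, this script lists the services that instance hosts, the DLL each service actually runs from (read from the service's registry Parameters key), and the DLL's signature status and SHA256, so each hosted DLL can be checked against a known-good copy. It assumes PowerShell 4 or later (for Get-FileHash); the `$SvchostPid` parameter name is an assumption of this example.

```powershell
# Added example: map one svchost.exe PID to the services it hosts and their service DLLs.
# Assumes PowerShell 4+ ; $SvchostPid is the PID noted in File Monitor / Process Explorer.
param(
    [Parameter(Mandatory = $true)]
    [int]$SvchostPid
)

# Services whose ProcessId matches the svchost instance in question
$hosted = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -eq $SvchostPid }

if (-not $hosted) {
    Write-Warning "No services report PID $SvchostPid; confirm the PID (it changes on every boot)."
    return
}

foreach ($svc in $hosted) {
    # Shared-process services live in a DLL named under the service's Parameters key,
    # not in svchost.exe itself, so that DLL is what needs checking.
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $dll = (Get-ItemProperty -Path $paramKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) {
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
    }

    $hash = $null
    $signed = $null
    if ($dll -and (Test-Path -Path $dll)) {
        $hash = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
        # A service DLL in System32 whose signature is not Valid is the first thing to look at
        $signed = (Get-AuthenticodeSignature -FilePath $dll).Status
    }

    [pscustomobject]@{
        Service    = $svc.Name
        State      = $svc.State
        StartMode  = $svc.StartMode
        ServiceDll = $dll
        Signature  = $signed
        SHA256     = $hash
    }
}
```

Save it as a .ps1 and run it with the PID you noted (for example `.\svchost-services.ps1 -SvchostPid 1234`); on an older system without PowerShell, `tasklist /svc /fi "PID eq 1234"` gives the PID-to-service mapping, without the DLL and signature columns.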

The easiest way is to just run an antivirus scan; you can't really know how many files have been infected so deleting them yourself might be problematic. It should pick up and quarantine all the infected files.

winulty is not detected by Ad-Aware, Spybot, or AVG. The best way to get rid of it is with a Trojan detector, such as Trojan Remover, which lets you test-drive it for 30 days. I have encountered this virus this week and in October of last year, and my wife got one last week and I found another on her machine today.